Security update available for Adobe Commerce | APSB22-12

Bulletin ID | Date Published | Last Updated | Priority |
---|---|---|---|
APSB22-12 | February 13, 2022 | February 17, 2022 | 1 |
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.
To stay up to date with the latest protections, customers must apply two patches: MDVA-43395 first, then MDVA-43443 on top of it.
Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.
Product | Version | Platform |
---|---|---|
Adobe Commerce | 2.4.3-p1 and earlier versions | All |
Adobe Commerce | 2.3.7-p2 and earlier versions | All |
Magento Open Source | 2.4.3-p1 and earlier versions | All |
Magento Open Source | 2.3.7-p2 and earlier versions | All |
Note: Adobe Commerce and Magento Open Source versions 2.3.0 to 2.3.3 are not affected.
Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product | Updated Version | Platform | Priority Rating | Installation Instructions |
---|---|---|---|---|
Adobe Commerce 2.4.3 - 2.4.3-p1 | | All | 1 | |
Adobe Commerce 2.3.4-p2 - 2.4.2-p2, Magento Open Source 2.3.4-p2 - 2.4.2-p2 | | | | |
Adobe Commerce 2.3.3-p1 - 2.3.4, Magento Open Source 2.3.3-p1 - 2.3.4 | | | | |
Vulnerability Category | Vulnerability Impact | Severity | Authentication required to exploit? | Exploit requires admin privileges? | CVSS base score | CVSS vector | Magento Bug ID | CVE number(s) |
---|---|---|---|---|---|---|---|---|
Improper Input Validation (CWE-20) | Arbitrary Code Execution | Critical | No | No | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | PRODSECBUG-3118 | CVE-2022-24086 |
Improper Input Validation (CWE-20) | Arbitrary Code Execution | Critical | No | No | 9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | PRODSECBUG-3120 | CVE-2022-24087 |
February 17th, 2022:
- Updated affected versions for CVE-2022-24086
- Updated CVE details and acknowledgements for CVE-2022-24087
February 14th, 2022:
- Clarified column headers in Vulnerability Details table
Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:
For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.